a space for me to share weird problems and hacks i encounter in my profession

Friday, 30 May 2014

System Center Service Manager Automation

I’ve never worked with SCSM before, but a few weeks back I was asked to implement some automation processes using Microsoft Orchestrator (also a new product for me).

One of the jobs needed to add a user to a group, and you would expect something so simple would be easy. But after reading this guide, I ended up with this

Are you freaking kidding me? My life is just too short for that, so after a while I ended up with this instead.

The main problem lies in the fact that you need to fetch a lot of related objects. You start by sending the GUID of the automation job inside SCSM. You then get the related objects, and finally you fetch the real AD objects. The job will of course fail if the user is already a member of the group, so feel free to add 5-10 more steps for checking group memberships too. Gaaaahhh

So let's look at the PowerShell script instead. First a little background. To run PowerShell scripts you need to install a Management pack; I chose the Orchestrator Integration Pack for PowerShell Script Execution. Next we need a way to "talk" with SCSM from PowerShell, and I chose SMLets for that. You need to be aware that you can run into some issues with the "double hop" when running the PowerShell scripts, so I chose to configure a service account, configure the PowerShell scripts to run on the SCSM server, and use CredSSP as the authentication scheme.

And of course we need to pass the GUID of the automation job in SCSM to the PowerShell script.

And now to the good part. I've attached 2 scripts like the "normal" examples you find while googling: "Add self to group" and "Add user to group". The first assumes an AD group object has been associated with the Service Request. The latter assumes an AD user object and an AD group object have been associated with the Service Request. You could associate the objects with either the Automation Request or the Service Request; it doesn't really matter, the script is easy to modify for either.
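The "add user to group" flow described above (work item GUID in, related config items, real AD objects, membership check, add), written out as an added example; this is not the author's attached script. It assumes SMLets and the ActiveDirectory module are installed where the script runs, that the related items use the System.WorkItemRelatesToConfigItem relationship with the Microsoft.AD.User and Microsoft.AD.Group classes, that the SMLets objects expose a ClassName and a DistinguishedName property, and that the script runs as a service account allowed to read SCSM and modify the target group.

```powershell
# Added example, not the blog's attached script. Orchestrator passes the work item
# GUID (Service Request or Automation Request) as the first parameter.
param([Parameter(Mandatory)][guid]$WorkItemId, [string]$logscope = 'AddUserToGroup')

Import-Module SMLets
Import-Module ActiveDirectory

# Minimal stand-in for the logging helper used in the blog's script (assumed).
function WriteHost([string]$msg, [string]$class) { Write-Host "[$class] $msg" }

# 1. Fetch the work item itself by GUID.
$workItem = Get-SCSMObject -Id $WorkItemId
if (-not $workItem) { Throw "No SCSM object with id $WorkItemId" }

# 2. Fetch the config items related to it (relationship name assumed).
$rel     = Get-SCSMRelationshipClass -Name 'System.WorkItemRelatesToConfigItem$'
$related = Get-SCSMRelatedObject -SMObject $workItem -Relationship $rel

# 3. Pick the AD user and AD group among them (ClassName property assumed).
$scsmUser  = $related | Where-Object { $_.ClassName -eq 'Microsoft.AD.User'  } | Select-Object -First 1
$scsmGroup = $related | Where-Object { $_.ClassName -eq 'Microsoft.AD.Group' } | Select-Object -First 1
if (-not ($scsmUser -and $scsmGroup)) {
    WriteHost "Failed locating user or group on work item $WorkItemId" -class $logscope
    Throw "Failed locating user or group on work item $WorkItemId"
}

# 4. Resolve the real AD objects by distinguished name (property name assumed).
#    memberOf is requested so the membership check below needs no extra query.
$aduser  = Get-ADUser  -Identity $scsmUser.DistinguishedName -Properties memberOf
$adgroup = Get-ADGroup -Identity $scsmGroup.DistinguishedName

# 5. Idempotent add: a rerun of the runbook must not fail on "already a member".
#    memberOf covers direct membership in the user's own domain, which is the
#    case the blog's scripts deal with.
if ($aduser.memberOf -contains $adgroup.DistinguishedName) {
    WriteHost "$($aduser.UserPrincipalName) is already a member of '$($adgroup.Name)', nothing to do" -class $logscope
} else {
    WriteHost "Adding $($aduser.UserPrincipalName) to '$($adgroup.Name)'" -class $logscope
    Add-ADGroupMember -Identity $adgroup -Members $aduser
}
```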

As an added bonus you will also find some scripts for handling Office 365 subscriptions, users, licenses and management of SharePoint Online service users in a federated environment, and notes about how to call Orchestrator runbooks from PowerShell completely dynamically with parameters. (download link)

# Requires the ActiveDirectory module for Add-ADGroupMember.
Import-Module ActiveDirectory

# WriteHost is the script's own logging helper (note the -class parameter); it is
# assumed to be defined earlier in the full script and is not shown here.
if ($aduser -and $adgroup) {
    WriteHost "Ensuring $($aduser.UserPrincipalName) is a member of '$($adgroup.Name)'" -class $logscope
    # And now, the moment we have all been waiting for... Tadaaaaa, drum roll, blow the trumpets,
    # scream hallelujah, and add the user to the group!
    Add-ADGroupMember -Identity $adgroup -Members $aduser
} else {
    WriteHost "Failed locating user or group in AD!" -class $logscope
    Throw "Failed locating user or group in AD!"
}